So, I don't want to regenerate my CA master certificate, i.e. I don't want to manually replace all the CA certificate files on all my clients. If the ca generate is for the puppetserver AGENT certificate, i.e. only used on one computer, I can do that. But the docs aren't clear to me which it's talking about.
On Monday, March 4, 2019 at 4:56:49 PM UTC-5, Justin Stoller wrote:
>
> The new ca tool (which is one of the things node clean is calling under
> the hood) uses the CA's http api in most cases and requires special
> permissions. By default, the api now only allows access to most certificate
> endpoints by clients that contain a special cert extension. You can create
> a cert for "foo" with that extension by running
> `puppetserver ca generate --ca-client --certname=foo` (note this is one of
> the few commands that requires your server to be offline). If you don't or
> can't generate a ca client cert you can add an explicit certname that you
> want to be your ca-client to the "allow" blocks in the tk auth.conf.
>
> See: https://puppet.com/docs/puppet/6.3/puppet_server_ca_cli.html for
> more info.
>
> On Mon, Mar 4, 2019 at 12:43 PM jmp242 <[email protected]> wrote:
>
>> I've upgraded from puppetserver 5, and after doing so I've gotten an
>> error trying to clean a certificate.
>> Per the "new method", I've tried
>>
>> puppet node clean fqdn
>>
>> This worked, for this node, before the update with puppetserver 5.
>>
>> However, after the update I now get an error:
>> puppet node clean fqdn
>>
>> WARN: Unresolved specs during Gem::Specification.reset:
>> facter (< 4, >= 2.0.1)
>> WARN: Clearing out unresolved specs.
>> Please report a bug if this causes problems.
>> Error: When attempting to revoke certificate 'fqdn', received:
>> Error: code: 403
>> Error: body: Forbidden request:
>> /puppet-ca/v1/certificate_status/fqdn (method :put). Please see the server
>> logs for details.
>> fqdn
>>
>> I'm not able to find anything by google - any ideas?
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/dc6b8ba8-32dd-4ec5-90ff-719673c8498f%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
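
The auth.conf alternative mentioned in the quoted reply could look like the rule below; this is an added example, not part of the original thread or of Puppet's documentation. It assumes the stock Puppet Server 6 rule for the certificate_status endpoint (compare it with your installed `conf.d/auth.conf` before editing), and `admin.example.com` is a placeholder certname.

```hocon
# /etc/puppetlabs/puppetserver/conf.d/auth.conf (excerpt from authorization.rules)
{
    # Rule guarding the endpoint that returned the 403 in the error above.
    match-request: {
        path: "/puppet-ca/v1/certificate_status"
        type: path
        method: [get, put, delete]
    }
    allow: [
        # Stock entry (assumed default): any client certificate carrying the
        # CA-client extension, i.e. what
        # `puppetserver ca generate --ca-client` issues.
        { extensions: { pp_cli_auth: "true" } },

        # Added entry: one explicit certname (placeholder). Every name listed
        # here can revoke and clean certificates through this endpoint, so
        # list only the host you actually run `puppet node clean` from.
        "admin.example.com"
    ]
    sort-order: 500
    name: "puppetlabs cert status"
}
```

Restart or reload puppetserver after editing the file so the new rule is picked up.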
